keep_caps: make effective caps eq to permitted

diff --git a/contain.c b/contain.c
index 4b29e6ccc877fef306dd64a8d0235a3b10657595..1ab9e69ed14b95d71b648713af956cfa6c4dcbd1 100644 (file)
--- a/contain.c
+++ b/contain.c
@@ -112,6 +112,7 @@ static bool containDropPrivs(struct nsjconf_t *nsjconf)
        if (nsjconf->keep_caps == true) {
                for (size_t i = 0; i < _LINUX_CAPABILITY_U32S_3; i++) {
                        cap_data[i].inheritable = cap_data[i].permitted;
+                       cap_data[i].effective = cap_data[i].permitted;
                }
                if (syscall(__NR_capset, &cap_hdr, &cap_data) == -1) {
                        PLOG_E("capset()");